WizCase’s security team discovered an unsecured ElasticSearch server owned by AMT Games which exposed 1.47 TB of data.
This leak exposed users’ email addresses, IP addresses, Facebook data, and more to potential attack. The leaked data numbers in the millions and was accessible to anyone who possessed the link. There was no need for a password or login credentials to access the information, and the data was not encrypted. The leak has since been secured.
AMT Games is a mobile and browser game developer based in China. Its free-to-play mobile game, Battle for the Galaxy, has millions of users in 103 countries, and the app can be found on Android, iPhone, Steam, and its own website as an in-browser game.
Our team of ethical hackers discovered an unsecured ElasticSearch server owned by AMT Games which exposed 1.47 TB of data. We tried to reach out to AMT games however we haven’t received a response, and access to the server was later disabled by AMT games.
What Data Was Leaked?
The AMT Games database leaked approximately 5.9 millions player profiles, 2 million transactions, and 587,000 feedback messages.
Feedback message data contained Account id, feedback rating given, and users’ email addresses.
Transaction data encompassed price, item purchased, time of purchase, payment provider, and in some cases IP address of the buyer. Payment providers included Google, Apple, Steam, Amazon, Samsung, Facebook, and more.
Player profile data included Player id; username; country; total money spent on the game; and even Facebook, Apple, and Google account data if the user linked either account with their game account. The leaked account data included in-game transaction history, user id, and username. In a sampling of the player profile data, the WizCase security team found that users could spend as much as $907 on the game via in-app microtransactions in the 10,000-player sample from 2019-2020 our team observed.
This sample revealed concerning patterns in the mobile game. Of the 10,000 players sampled, 8,552 users made 0 in-app purchases; 764 spent less than $1 on in-app purchases; 651 spent between $1 and $100 on in-app purchases, and 33 spent more than $100. That means .33% of users in the sample produced about 90% of the income in these transactions.
This sizable purchasing disparity isn’t just common in mobile games but encouraged. Users who spend large amounts of money on in-app purchases for mobile games are called “whales.” These users are prized and preyed on by mobile games to increase their profits. The use of gambling mechanics such as loot boxes or locking in-game progress behind increasingly-long timers which are reduced or eliminated by in-app purchases are just a couple of ways for these game publishers to siphon money from these whales. Whales are often tracked by publishers and heavily targeted with ads and special offers to increase the likelihood of purchase.
While we cannot comment on if Battle for the Galaxy specifically uses predatory business practices, these practices, especially loot boxes, are common in the bulk of free-to-play mobile games as well as console/PC games, like Overwatch, League of Legends, and Fortnite. Fortnite’s practices were so egregious that its publisher, Epic Games, was sued in 2019 and settled by giving away 1,000 of its in-game V-Bucks currency to claimants. Fortnite discontinued its loot box practices in 2019, revealing what users would be getting in the game’s Loot Llamas before purchase.
What Are the Risks and How to Protect Yourself
Scams, Phishing, and Malware: It is common for unethical hackers and criminals on the Internet to use personal data to create trustworthy phishing emails. The more information they possess, the more believable these emails look. For example, with the email addresses and specific details of user issues with the service such as in transactions and developer messages could allow bad actors to pose as game support and direct users to malicious websites where their credit card details can be stolen. With data on how much money has been spent per account, these conmen could target the highest-paying users, many of whom are children judging by their game history, time spent in game, circle of friends in-game, etc. and have an even higher chance of success than they would otherwise.
Corporate Espionage: With these emails, competing games could attempt to migrate or target users with advertising and email campaigns.
Unfortunately, the above list is not comprehensive, and cybercriminals are always generating new methods to exploit anyone vulnerable on the Internet. However, users have ways to protect themselves.
For future purposes, we recommend always inputting the bare minimum of information when making a purchase or setting up an account on the Internet. The less information you give hackers to work with, the less vulnerable you are to attack.
Though most email clients have methods to block spam and phishing attempts, they are not 100% effective. When receiving an unexpected email from a seemingly trustworthy source, do not open any attachments. Phishing emails often use scare tactics to force users to open the attachment. If you are ever unsure about an email from a trustworthy company, give them a call. This will usually let you verify whether the attachment is legitimate or not. A good antivirus program can also aid in protection from malware, trojans, and other dangers.
If you are a parent with a child who plays mobile games or games with predatory mechanics like loot boxes, it is recommended you do not give them access to your credit card. This will keep them safe from phishing scammers attempting to exploit them and you for profit. If your child wants to buy something from a game’s store, complete the process for them then delete your credit card information from your phone as soon as possible.
In cases of potential corporate espionage, companies should warn their clients of the breach as soon as possible to ensure their clients’ vigilance and safety.
Original post at: https://www.wizcase.com/blog/amt-games-leak/
About the author: Chase Williams
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, AMT Games)
Share this: Twitter